NetScaler Gateway configuration for earlier versions

NetScaler Gateway configuration is supported for both Web/SaaS and TCP/UDP applications. You can create a NetScaler Gateway or update an existing NetScaler Gateway configuration for Secure Private Access. It is recommended that you create NetScaler snapshots or save the NetScaler configuration before applying these changes.

Important:

  • Support for TCP/UDP apps in addition to Web/SaaS apps is available starting from NetScaler Gateway version 14.1-25.56. However, Secure Private Access for TCP/UDP apps in hybrid deployments is supported from version 14.1-34.42, and this version significantly streamlines the configuration process.
  • Support for Web/SaaS apps is available from NetScaler Gateway versions 13.1, 14.1 and later.
  • For details about the NetScaler Gateway configuration, see Configure NetScaler Gateway.

Support for smart access tags

Note:

  • The information provided in this section is applicable only if your NetScaler Gateway version is earlier than 14.1-25.56.
  • If your NetScaler Gateway version is 14.1-25.56 or later, you can enable the Secure Private Access provider on NetScaler Gateway by using the CLI or GUI. For details, see Enable Secure Private Access provider on NetScaler Gateway.

In the following versions, NetScaler Gateway sends the tags automatically. You do not have to use the gateway callback address to retrieve the smart access tags.

  • 13.1-48.47 and later
  • 14.1-4.42 and later

The smart access tags are added as a header in the Secure Private Access provider request.

Configure Secure Private Access toggles

The following table lists the toggles that must be used to support smart access tags for hybrid deployments.

Toggle name                                                               Description
------------------------------------------------------------------------  --------------------------------------------------------------------
nsapimgr_wr.sh -ys call=ns_vpn_enable_spa_onprem                          Enable Secure Private Access for hybrid deployments
nsapimgr_wr.sh -ys call=ns_vpn_disable_spa_onprem                         Disable Secure Private Access for hybrid deployments
nsapimgr_wr.sh -ys ns_vpn_enable_spa_tcp_udp_apps=3                       Enable TCP/UDP apps
nsapimgr_wr.sh -ys ns_vpn_enable_spa_tcp_udp_apps=0                       Disable TCP/UDP apps
nsapimgr_wr.sh -ys call=toggle_vpn_enable_securebrowse_client_mode        Enable SecureBrowse client mode for HTTP callout config
nsapimgr -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny   Enable redirection to the “Access restricted” page if access is denied
nsapimgr -ys call=toggle_vpn_use_cdn_for_access_restricted_page           Use the “Access restricted” page hosted on CDN

Note:

  • To disable a toggle that has no separate disable command, run the same command again. This applies only to commands whose name contains “toggle”.
  • To verify whether the toggle is on or off, run the nsconmsg command.
  • To configure smart access tags on NetScaler Gateway, see Configure contextual tags.

Persist Secure Private Access provider settings on NetScaler

To persist the Secure Private Access provider settings on NetScaler, do the following:

  1. Create or update the file /nsconfig/rc.netscaler.
  2. Add the following commands to the /nsconfig/rc.netscaler file.

    nsapimgr -ys call=ns_vpn_enable_spa_onprem

    nsapimgr -ys call=toggle_vpn_enable_securebrowse_client_mode

    nsapimgr -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny

    nsapimgr -ys call=toggle_vpn_use_cdn_for_access_restricted_page

  3. Save the file.

The Secure Private Access provider settings are automatically applied when NetScaler is restarted.
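Because the toggle_* calls flip state each time they run, a command that appears twice in rc.netscaler undoes its own setting at boot. The following POSIX shell script is an added example (not from the original page): it writes the four commands above into an rc.netscaler-style file only if they are not already present, then checks that each one appears exactly once. The file path is passed as an argument, which is an assumption; on NetScaler the file is /nsconfig/rc.netscaler.

```shell
#!/bin/sh
# Added example, not from the Citrix page: keep the Secure Private Access provider
# commands in an rc.netscaler-style file exactly once. The toggle_* calls flip state
# on every run, so a duplicated line would silently revert the setting at boot.
# Assumption: the target file path is passed in (on NetScaler, /nsconfig/rc.netscaler).

SPA_COMMANDS='nsapimgr -ys call=ns_vpn_enable_spa_onprem
nsapimgr -ys call=toggle_vpn_enable_securebrowse_client_mode
nsapimgr -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny
nsapimgr -ys call=toggle_vpn_use_cdn_for_access_restricted_page'

# ensure_line FILE LINE: append LINE unless an identical line is already present.
# Returns 0 when a line was written, 1 when it was already there.
ensure_line() {
    file=$1; line=$2
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# persist_spa_settings FILE: add each missing command; prints the number of lines added.
persist_spa_settings() {
    target=$1
    added=0
    while IFS= read -r cmd; do
        ensure_line "$target" "$cmd" && added=$((added + 1))
    done <<EOF
$SPA_COMMANDS
EOF
    echo "$added"
}

# verify_spa_settings FILE: return 0 only if every command appears exactly once.
verify_spa_settings() {
    target=$1
    [ -f "$target" ] || return 1
    status=0
    while IFS= read -r cmd; do
        n=$(grep -cxF -- "$cmd" "$target" || true)
        if [ "$n" -ne 1 ]; then
            printf 'WARN: "%s" found %s times in %s\n' "$cmd" "$n" "$target" >&2
            status=1
        fi
    done <<EOF
$SPA_COMMANDS
EOF
    return "$status"
}
```

Run the script on the host with the file path as the argument; re-running it is safe because lines already present are never appended again.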

Enable Secure Private Access provider on NetScaler Gateway

From NetScaler Gateway 14.1-25.56 onward, you can enable the Secure Private Access provider on NetScaler Gateway by using the NetScaler Gateway CLI or the GUI.

CLI:

At the command prompt, type the following command:

set vpn parameter -securePrivateAccess ENABLED

GUI:

  1. Navigate to NetScaler Gateway > Global Settings > Change Global NetScaler Gateway Settings.
  2. Click the Security tab.
  3. In Secure Private Access, select ENABLED.

Enable Secure Private Access

Upload public gateway certificate

If the public gateway is not reachable from the Secure Private Access machine, then you must upload a public gateway certificate to the Secure Private Access database.

Perform the following steps to upload a public gateway certificate:

  1. Open PowerShell or the command prompt window with administrator privileges.
  2. Change the directory to the Admin\AdminConfigTool folder under the Secure Private Access installation folder (for example, cd "C:\Program Files\Citrix\Citrix Access Security\Admin\AdminConfigTool").
  3. Run the following command:

.\AdminConfigTool.exe /UPLOAD_PUBLIC_GATEWAY_CERTIFICATE <PublicGatewayUrl> <PublicGatewayCertificatePath>

Compatibility with the ICA apps

A NetScaler Gateway created or updated to support the Secure Private Access provider can also be used to enumerate and launch ICA apps. In this case, you must configure a Secure Ticket Authority (STA) and bind it to the NetScaler Gateway.

Note:

The STA server is usually part of a Citrix Virtual Apps and Desktops deployment.

For details, see the following topics:

Known limitations

  • An existing NetScaler Gateway can be updated with the script, but there are many possible NetScaler configurations that a single script cannot cover.
  • We recommend that you set ICA Proxy to OFF on the Secure Private Access-enabled VPN virtual server.
  • If you use NetScaler deployed in the cloud, you must make changes in the network, for example, to allow communication between NetScaler and other components on certain ports. For details on the ports, see Communication ports.
  • If you enable SSO on NetScaler Gateway, make sure that NetScaler communicates with StoreFront using a private IP address. You might have to add a StoreFront DNS record to NetScaler with the StoreFront private IP address.